Skip to content ↓ | Skip to navigation ↓

Organizations receive mass amounts of data daily regarding cyber security risks. Too many companies set their cyber security defense strategy based on news stories, vendors and/or a “whack a mole” approach.

My discussion reviews a unique cyber security defensive maturity model (CSDMM) providing security professionals a much clearer understanding of their defensive maturity and capability when deciding what technologies to implement and in what order.

The CSDMM assists organizations with understanding the status of their cyber defense posture. Cyber defense is a journey, and organizations must understand where they fit along the voyage as well as where and what direction they should take.

Many cyber security solutions cost substantial amounts of money, time, and expertise, and not all technologies apply to all entities. Understanding what, where and when is critical for the most secure and cost-effective defense per organization.

This model plots technology families within a scatter plot based on an X-axis of defensive maturity and a Y-axis of capability level, thus assisting firms in knowing where they are and where they want to go. My discussion covers all families with a detailed description as to what areas of security they cover as well as in some instances the products and vendors that cover specific areas.

  • Defensive Maturity: Distance down the X-axis towards substantial cyber security defense. The further a technology product resides to the right, the more mature an organization can declare its defense maturity level, i.e. have a SOC > maturity than solely implementing encryption.
  • Capability Level: This covers technology sophistication as well as the uniqueness of technology used. As an implementation provides greater impact on an organization’s defense and the newer the technology is in the marketplace, the higher up the Y-axis the technology family resides. The fewer deployments live across industry, the higher the capability based on complexity, cost and defensive coverage, i.e. artificial intelligence > capability than encryption.

This model does not currently have a numeric scale; however, there’s work underway that will create a scoring methodology similar to CMMI.

Certain components of the model, such as encryption and anomalous behavior, cover multiple products and areas. Another facet of the model revolves around certain technology families falling under process and/or software solutions. Most of this defensive maturity model includes technologies that fall under the umbrella of infrastructure.

Each of these areas plays a different role with the overall cyber security defensive posture, and organizations must understand where they are with each of these, where they want to go and ultimately how to get there.

The CSDMM plays a critical role in an organization’s understanding and design of a cyber security roadmap. When workshopping the plan for future solutions, this model can play a critical role in educating executives as to current state and then planning for future state. Assessing and strategizing where an organization resides enables the company to properly spend their time, money and staff in the proper direction to fill gaps that exist with current deployments.

The BSides Idaho Falls session Cyber Security Defensive Maturity Model review provides cyber security professionals a model to assess current state and begin planning on future implementations to cover an all-encompassing defensive posture. While cyber security is a journey, there are critical checkpoints along the way, and every business needs to understand what areas require additional coverage.

Attendance at this session should provide clarity to participants in relation to where their organizations reside and where they want to go. It should also provide the beginning discussion as to determining what is next to further their cyber security defensive position.


Eric JefferyAbout the Author: Eric has over 25 years’ IT experience with more than 20 focusing on networks, network security, and network design and implementation. Mr. Jeffery exhibits deep technical expertise with an extensive business understanding and background making him a distinct information technology professional. He has worked in numerous industries including, and not limited to, healthcare, retail, entertainment, manufacturing, telecommunications, and technology. Eric has enjoyed success in numerous roles including and not limited to network engineer, senior manager of systems engineering, Director of IT, most recently as a managing consultant. Eric is a published author and speaker including articles in multiple publications for numerous industries. Eric lives in southern Colorado with his wife and has four children. He enjoys hockey, rock music festivals/concerts and video games. 

The comments, suggestions, and statements in this article are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.